Phishing or What?? How I Got Access to the Internal Email of a Company


Introduction

Hey guys, good to have you back on my blog. This is a bug that I found last September, and it was a different kind of vulnerability from the ones I had written about before. Although it was not very severe (it was marked as low), believe me, it was a very interesting one, because I had a lot of fun after discovering it.

With this vulnerability I was able to send emails to anyone in the world from a real, valid internal email address of an e-commerce company. It was a fun experience, and I just wanted to share this easy-to-find but interesting bug with you all.

Tip of the blog: Make notes

I’ve adopted a new technique that’s really paying off, and I’d like to share it with you all. What I do is grab a sticky note, place it beside my trackpad, and use it to jot down important points while testing a website.

[image: my sticky note at that time]

Let’s get started

So, another day, another bug, another story!!!

Once again, I found myself testing an e-commerce site, which I’ll refer to as “redacted.com”.

Learning from my earlier mistakes as a newbie, I made sure to explore all the functionality the site had to offer, and I noted down everything that looked potentially vulnerable, intending to test it further later on. This included the admin login page, user profiles, the contact us form, and even the supplier portal.

Rediscovering the ‘Contact Us’ Form

After not being able to find any bugs for a few hours, I went back to my notes to review what I had tested and what I might have missed.

That’s when I noticed the ‘Contact Us’ form, which I had completely forgotten about.

So I decided to give it a shot and tested it. As soon as I captured the request after filling in all the details, I noticed something unusual.

There were keys named “to”, “from”, “subject”, “html”!!!!

[image: email request (left) & actual email (right)]

And yes, you guessed it right: I could change their values, and the only server-side check was applied to the “from” parameter.

So now I could mail anything to anyone from a mailbox belonging to the company I was testing.

Felt like Elliot

And the most interesting thing was that every HTML tag placed in the “html” parameter was rendered, so I was able to customize the email body however I wanted: links, icons, buttons, anything at all.

So I copy pasted the whole structure of what the real email from that company looks like and added malicious links to it.

Now, just imagine a scenario where you receive an email like this, but it’s from a hacker.

[image: an actual email formed by me with a phishing link embedded in the download button]

Fascinating but potentially dangerous!!!!!

I created a report and submitted it on HackerOne. After a few hours, I got a reply and the severity was downgraded to low. I had originally marked it as ‘High’, though.

I researched some more and learned about the service they were using to send emails. I discovered some new parameters, most of which were not that interesting, like “cc” and “bcc”. However, I found out that I could also add attachments to the emails.
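The root cause described above (and again in the “cc”, “bcc” and attachment parameters just mentioned) is a contact form whose backend honours mail-control fields sent by the client. The following handler is an added example written for this post, not code from the affected site or its mail provider: it accepts only the fields a contact form legitimately needs, pins the recipient and sender to fixed server-side values (the `example.com` addresses are placeholders), refuses any client-supplied “to”, “from”, “subject”, “html”, “cc”, “bcc” or attachment keys, blocks header injection via CR/LF, and emits a plain-text body so no attacker-controlled HTML is rendered.

```python
import re
from email.message import EmailMessage

# Fixed, server-side mail settings (placeholder addresses, assumed for this example).
CONTACT_INBOX = "support@example.com"    # where every submission is delivered
SENDER_ADDRESS = "noreply@example.com"   # the only address the form ever sends from
FIXED_SUBJECT = "Website contact form submission"

# The only keys a contact form needs from the browser.
ALLOWED_FIELDS = {"name", "email", "message"}
# Mail-control keys the write-up found honoured by the backend; never accept them.
FORBIDDEN_FIELDS = {"to", "from", "subject", "html", "cc", "bcc", "attachments"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_LENGTHS = {"name": 100, "email": 254, "message": 5000}


def validate_contact_form(form: dict) -> list[str]:
    """Return a list of problems with a submission; an empty list means it is acceptable.

    Each problem string is suitable for logging, so a spike of 'mail-control keys'
    findings is also a usable detection signal for probing of the form.
    """
    problems = []
    extra = set(form) - ALLOWED_FIELDS
    controlled = extra & FORBIDDEN_FIELDS
    if controlled:
        problems.append("mail-control keys supplied by client: " + ", ".join(sorted(controlled)))
    if extra - FORBIDDEN_FIELDS:
        problems.append("unexpected keys: " + ", ".join(sorted(extra - FORBIDDEN_FIELDS)))
    for key in sorted(ALLOWED_FIELDS):
        value = form.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"missing or empty field: {key}")
            continue
        if len(value) > MAX_LENGTHS[key]:
            problems.append(f"field too long: {key}")
        # CR/LF in a value that reaches a header would let a client append headers.
        if key != "message" and ("\r" in value or "\n" in value):
            problems.append(f"line break in header field: {key}")
    email_value = form.get("email")
    if isinstance(email_value, str) and email_value.strip() and not EMAIL_RE.match(email_value.strip()):
        problems.append("invalid reply address")
    return problems


def build_contact_email(form: dict) -> EmailMessage:
    """Build the outbound message; raises ValueError instead of sending on any problem."""
    problems = validate_contact_form(form)
    if problems:
        raise ValueError("; ".join(problems))
    msg = EmailMessage()
    # Recipient, sender and subject come from the server, never from the request.
    msg["To"] = CONTACT_INBOX
    msg["From"] = SENDER_ADDRESS
    msg["Subject"] = FIXED_SUBJECT
    # The visitor's address is exposed only as Reply-To, which cannot spoof the sender.
    msg["Reply-To"] = form["email"].strip()
    body = (
        f"Name: {form['name'].strip()}\n"
        f"Reply address: {form['email'].strip()}\n\n"
        f"{form['message']}\n"
    )
    msg.set_content(body)  # text/plain only: user-supplied HTML is never rendered
    return msg


if __name__ == "__main__":
    # Constructed sample submissions for a quick local run.
    good = {"name": "Alice", "email": "alice@example.org", "message": "Hello, where is my order?"}
    print(build_contact_email(good))
    tampered = dict(good, to="someone@example.net", html="<a href='https://placeholder.invalid'>Download</a>")
    print(validate_contact_form(tampered))
```

A mail-sending helper that only ever receives the `EmailMessage` returned by `build_contact_email` cannot be steered by the browser, whatever keys the request carries; logging the returned problem list gives the operations team a record of every attempt to supply those keys.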

I added a few more comments to the report, showing them all the possibilities with this vulnerability. In the end, this convinced them to raise the severity to ‘Medium’, which was good enough for me.


Fun Part

Now comes the most fun part of this experience. It felt like I had a lot of power in my hands, and I knew how to use it, until the bug was resolved. 😈😈😈

I created a well-structured email, taking care of every minute detail. And this was the result!

[image: a perfectly crafted email, sent via the company’s internal email]

Finding this vulnerability was worth my efforts, and I realized this when I sent the email to a friend of mine.😈😈😈

And to satisfy your curiosity about what was inside that assessment link, here is the link.

See you in the next blog!😉😉

Originally published by whit3ros3: Phishing or What?? How I Got Access to the Internal Email of a Company

Copyright notice: posted by admin on 3 July 2024 at 08:56.